Closed
Bug 666604
Opened 13 years ago
Closed 13 years ago
Allow untrusted events to trigger a link
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
VERIFIED
FIXED
mozilla7
People
(Reporter: smaug, Assigned: smaug)
References
(Depends on 1 open bug)
Details
(Keywords: regression, Whiteboard: [landed m-c 7/06] [semi-widespread Web regression, cmnt #66-7])
Attachments
(5 files, 4 obsolete files)
(deleted),
text/html
|
Details | |
(deleted),
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
bzbarsky
:
review+
asa
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
Details | Diff | Splinter Review | |
(deleted),
patch
|
mounir
:
review+
|
Details | Diff | Splinter Review |
Webkit and Opera do this. Haven't tested on IE.
Updated•13 years ago
|
Assignee: Olli.Pettay → dzbarsky
Updated•13 years ago
|
OS: Linux → All
Hardware: x86 → All
Version: unspecified → Trunk
Assignee | ||
Comment 2•13 years ago
|
||
Which was fixed before Bug 289940, which would have fixed it too, I think.
Comment 3•13 years ago
|
||
With bug 583514 fixed, I think we need to do this for web compat. Lots of sites seem to expect that click() on an <a>, if present, will trigger the link, and it doesn't right now due to this bug...
I don't think there's really anything you can do with click events on anchors that you can't do by setting location.href or calling window.open, from a security perspective. We'd need to check that you can't bypass the popup blocker with it, I guess.
tracking-firefox6:
--- → ?
tracking-firefox7:
--- → ?
Assignee | ||
Comment 4•13 years ago
|
||
David, if you're busy with other things, assign this to me.
Updated•13 years ago
|
Assignee: dzbarsky → Olli.Pettay
Comment 5•13 years ago
|
||
Looks like this is causing bug 666955 / bug 666674, which breaks some key functionality in a commonly used Ajax / web control library for ASP.NET (http://www.telerik.com/products/aspnet-ajax/ajax.aspx).
For my company, this means we will likely have to recommend our customers not to use Firefox 5 with our multi-million user educational intranet application. I suspect the RadAjax controls controls are fairly common on corporate intranet applications. I'd therefore strongly vote for a 5.01 fix, but I know that Mozilla doesn't care about corporates :-).
Assignee | ||
Comment 6•13 years ago
|
||
(I don't know why you think Mozilla doesn't care about corporates.
If some mozillian says something like that, it doesn't necessarily mean
everyone in the project agrees with that.)
Anyway, patch coming, and I certainly think this must be fixed for Fx6, which
will be released in August.
Assignee | ||
Comment 7•13 years ago
|
||
Uploaded to tryserver. We may have tests which check that
untrusted events *don't* active links.
Assignee | ||
Comment 8•13 years ago
|
||
Attachment #542772 -
Attachment is obsolete: true
Updated•13 years ago
|
Comment 9•13 years ago
|
||
> We'd need to check that you can't bypass the popup blocker with it, I guess.
The test should probably cover both synthetic ctrl+click and synthetic normal clicks on links with target=_blank.
Similarly, I don't want sites to be able to synthesize alt+click and cause Firefox to download something it normally wouldn't download.
Assignee | ||
Comment 10•13 years ago
|
||
The patch allows synthetic clicks to trigger link only when
!ctrl && !alt && !meta && !shift.
And the test does cover the ctrl case (alt, meta and shift are handled the same way)
I'm not sure how we should handle target="_blank" .
Assignee | ||
Comment 11•13 years ago
|
||
The patch gives the same _blank handling what Chrome has.
Comment 12•13 years ago
|
||
What is Chrome's behavior?
Assignee | ||
Comment 13•13 years ago
|
||
A new tab is opened, even if click is dispatched using a timer.
Comment 14•13 years ago
|
||
Let's not do that.
Comment 15•13 years ago
|
||
> I'm not sure how we should handle target="_blank" .
The same way as window.open(), I would think.... Why is the popup blocker not kicking in?
Comment 16•13 years ago
|
||
In particular, OnLinkClickEvent::OnLinkClickEvent saves the popup control state, and then pushes it before doing OnLinkClickSync. So I'd expect the popup blocker to work here...
Assignee | ||
Comment 17•13 years ago
|
||
Ah, Chrome's behavior depends on whether the test is local file or not.
If not, _blank pages aren't opened.
Assignee | ||
Comment 18•13 years ago
|
||
Better patch coming.
Assignee | ||
Comment 19•13 years ago
|
||
Hmm, no, the problem wasn't what I was thinking about.
Assignee | ||
Comment 20•13 years ago
|
||
A testcase with some timers http://mozilla.pettay.fi/moztests/a_click.html
Assignee | ||
Comment 21•13 years ago
|
||
Push the cx to stack if untrusted event triggers the link.
With that popup blocker works the same way as with window.open() when
target="_blank"
Attachment #542801 -
Attachment is obsolete: true
Attachment #542881 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 22•13 years ago
|
||
Pushed to try.
Assignee | ||
Comment 23•13 years ago
|
||
(In reply to comment #17)
> Ah, Chrome's behavior depends on whether the test is local file or not.
> If not, _blank pages aren't opened.
Hmm, I'm not sure about this anymore. _blank is opened sometimes, but
not always.
Assignee | ||
Comment 24•13 years ago
|
||
Just to clarify, comment 23 was about Chrome.
Comment 25•13 years ago
|
||
I would really prefer a required argument to TriggerLink and for that matter on OnLinkClick. For the latter, there are only two callers, and one of them already passes all the args anyway and you're changing the other one.
Also, would it make more sense to make the booleand "aIsTrusted"? There would be fewer negatives in the code that way, I think....
Comment 26•13 years ago
|
||
Oh, to be clear in general this looks fine.
Assignee | ||
Comment 27•13 years ago
|
||
Attachment #542881 -
Attachment is obsolete: true
Attachment #542904 -
Flags: review?(bzbarsky)
Attachment #542881 -
Flags: review?(bzbarsky)
Comment 28•13 years ago
|
||
Comment on attachment 542904 [details] [diff] [review]
v4
r=me
Attachment #542904 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 29•13 years ago
|
||
Compiling now a patch for Fx5 (with nsILinkHandler_5_0 so that there is no
need for an interface change)
Assignee | ||
Updated•13 years ago
|
Attachment #542904 -
Flags: checkin?
Keywords: regression
Assignee | ||
Comment 30•13 years ago
|
||
Attachment #542911 -
Flags: review?(bzbarsky)
Updated•13 years ago
|
Keywords: checkin-needed
Comment 31•13 years ago
|
||
Comment on attachment 542911 [details] [diff] [review]
For fx5
r=me
Attachment #542911 -
Flags: review?(bzbarsky) → review+
Comment 32•13 years ago
|
||
Are we really taking patches for Firefox 5? I though Firefox 6 will be the update.
Comment 33•13 years ago
|
||
There's discussion that we might do a Firefox 5 respin *for this bug*.
Comment 34•13 years ago
|
||
(In reply to comment #33)
> There's discussion that we might do a Firefox 5 respin *for this bug*.
Oh sorry, I didn't know.
Assignee | ||
Comment 35•13 years ago
|
||
Technically this is not a regression, or it is a very old regression.
Some web pages just happen to rely click() to do one thing (dispatch click event
as we do), and untrusted click to activate link (which we haven't done since Bug
265176).
Assignee | ||
Comment 36•13 years ago
|
||
The previous patch for trunk missed a parameter rename.
Assignee | ||
Updated•13 years ago
|
Attachment #542904 -
Flags: checkin?
Assignee | ||
Updated•13 years ago
|
Attachment #543104 -
Flags: checkin?
Comment 37•13 years ago
|
||
(In reply to comment #35)
> Technically this is not a regression, or it is a very old regression.
I see dates like 2004. Is this a regression from 4-5? If it's that old I doubt we need to spin a 5.0.1 for this.
Assignee | ||
Comment 38•13 years ago
|
||
The issue is that we added .click to <a>, and that click() dispatches
untrusted click, like it should, but does not trigger the link.
And for unknown reasons web pages have code like
if (a.click) {
a.click();
} else {
window.location = a.href;
}
Comment 39•13 years ago
|
||
The behavior in this bug is not new.
Sites exercising this codepath is new, and is a regression from 4 to 5.
Comment 40•13 years ago
|
||
OK, thanks.
Comment 41•13 years ago
|
||
(In reply to comment #32)
> Are we really taking patches for Firefox 5? I though Firefox 6 will be the
> update.
Firefox 6 is the "scheduled" update. There's always the possibility of an interim release ("chemspill") if we broke the web. It's expensive (in time and resources) so we have to balance how broken vs. how soon a planned fix can come.
Comment 42•13 years ago
|
||
I put this on the agenda for today's Aurora meeting since that's the right audience. First time someone has wanted a chemspill for compatibility.
Updated•13 years ago
|
Keywords: sec-review-needed
Assignee | ||
Comment 43•13 years ago
|
||
Comment 44•13 years ago
|
||
This seems like the kind of patch that could have unintended compatibility effects, too. Could we back out bug 583514 for Firefox 5.0.x instead?
Assignee | ||
Comment 45•13 years ago
|
||
No. It changed interfaces.
Comment 46•13 years ago
|
||
tracking-firefox6+ per triage meeting
Does comment 43 mean this is no longer checkin-needed and should be RESOLVED-FIXED? If not, what is checkin-needed?
Please make an approval-aurora request for the appropriate patch so this can get into Aurora soon.
Assignee | ||
Comment 47•13 years ago
|
||
Comment on attachment 542911 [details] [diff] [review]
For fx5
We could take this patch to aurora.
Attachment #542911 -
Flags: approval-mozilla-aurora?
Assignee | ||
Updated•13 years ago
|
Keywords: checkin-needed
Assignee | ||
Updated•13 years ago
|
Attachment #543104 -
Flags: checkin?
Assignee | ||
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 48•13 years ago
|
||
If a modifier key is physically pressed and then the link is triggered by an untrusted event, does the link act as if the key was pressed or not?
Assignee | ||
Comment 49•13 years ago
|
||
It acts as if the key was not pressed.
Updated•13 years ago
|
Comment 50•13 years ago
|
||
Comment on attachment 542911 [details] [diff] [review]
For fx5
Please re-request approval on the patch after all reviews are completed. (Security review still pending.)
Attachment #542911 -
Flags: approval-mozilla-aurora?
Comment 51•13 years ago
|
||
test7() seems backwards. It should be testing that the link does *not* open (at least not in a new window). Why is it passing?
Assignee | ||
Comment 52•13 years ago
|
||
test7 relies on dom.disable_open_during_load to be false,
and that is set false for mochitests.
(we have way too many prefs for popup handling, and the naming of them isn't
quite right).
I'll add a test for dom.disable_open_during_load=true
Assignee | ||
Comment 53•13 years ago
|
||
Attachment #544189 -
Flags: review?(mounir)
Comment 54•13 years ago
|
||
Comment on attachment 544189 [details] [diff] [review]
+additional test
Review of attachment 544189 [details] [diff] [review]:
-----------------------------------------------------------------
Could you explicitly set dom.disable_open_during_load to false in test7?
In addition, I do not really like the setTimeout(test9, 1000). Can't you use the click event and go X time to the event loop to assume nothing happened?
Assignee | ||
Comment 55•13 years ago
|
||
(In reply to comment #54)
> Could you explicitly set dom.disable_open_during_load to false in test7?
Why?
> In addition, I do not really like the setTimeout(test9, 1000). Can't you use
> the click event and go X time to the event loop to assume nothing happened?
I don't understand what you mean. X time to the event loop?
Assignee | ||
Comment 56•13 years ago
|
||
Attachment #544189 -
Attachment is obsolete: true
Attachment #544209 -
Flags: review?(mounir)
Attachment #544189 -
Flags: review?(mounir)
Comment 57•13 years ago
|
||
Comment on attachment 544209 [details] [diff] [review]
+additional test
Review of attachment 544209 [details] [diff] [review]:
-----------------------------------------------------------------
::: content/base/test/test_bug666604.html
@@ +137,5 @@
> + ok(false, "Click() should not activate a link");
> + setTimeout(test9, 0);
> + }
> + testlink.click();
> + hitEventLoop(10, test9);
I would have make gActivated being a variable, testlink.href setting it to "true" and hitEventLoop calling:
function() {
ok(!gActivated, "...");
gActivated = false;
test9();
}
Though, what you did should work too.
Attachment #544209 -
Flags: review?(mounir) → review+
Assignee | ||
Comment 58•13 years ago
|
||
Comment 59•13 years ago
|
||
Does not work in firefox 6 beta, confirmed to work in the Aurora version.
Comment 60•13 years ago
|
||
That would be a neat trick, since this fix didn't land in aurora yet.
Olli, is there a security review scheduled for this at least?
status-firefox6:
--- → affected
status-firefox7:
--- → affected
(In reply to comment #60)
> That would be a neat trick, since this fix didn't land in aurora yet.
It landed before the merge, no?
Comment 62•13 years ago
|
||
Oh, the testcase is what landed after the merge. Nevermind me....
status-firefox7:
affected → ---
Target Milestone: --- → mozilla7
Assignee | ||
Comment 63•13 years ago
|
||
I did ask for a sec review. No idea when it could happen.
Updated•13 years ago
|
status-firefox7:
--- → fixed
Comment 64•13 years ago
|
||
sec-review-complete, fix is limited in scope to links (as opposed to changing events themselves) and doesn't regress old related security bugs.
Didn't intend for "sec-review-needed" to block landing (we do many reviews post-landing), would have put an explicit review request on the patch if I did.
Keywords: sec-review-needed → sec-review-complete
Assignee | ||
Updated•13 years ago
|
Attachment #542911 -
Flags: approval-mozilla-beta?
Comment 65•13 years ago
|
||
Discussed this request in approval triage today. Late-landing this in the beta cycle, which is supposed to be exclusively for backouts of bustage caused in this branch feels like a bad idea, but blizzard thinks that we need to be willing to make exceptions for major web compatibility fixes.
We in the room couldn't get a good sense of how widespread this bustage was, though - it feels like a weird pattern to synthesize click events on links, but we know one framework seems to use it. Smaug, bz - any intuitions here on it being more widespread than we think? Otherwise it feels like letting people get this fix in 7 is the right choice, since we don't take changes on aurora/beta that aren't current-version-bustage-fixes.
Assignee | ||
Comment 66•13 years ago
|
||
calling <a>.click() doesn't cause us to follow the link.
In Fx4 we didn't have <a>.click();
For some mysterious reason code mentioned in comment 38 is used quite often.
Also, see all the bugs this bug fixed.
Comment 67•13 years ago
|
||
Johnathan, we have 6 independent reports of this issue, from sites using at least 3 different frameworks that all have essentially the same code, structured like comment 38. It seems to be a common workaround for a bug in some old browser (old IE version, I'm guessing based on other code involved) that doesn't send a referrer on location.href sets. As a result, sites that want to track the referrer do this hack with .click if it's present and setting location if it's not present (this last presumably to work with gecko-based browsers).
So yes, it's a weird pattern, but it's being done for very logical reasons, and the usage seems to be somewhat widespread.
Updated•13 years ago
|
Whiteboard: [landed m-c 7/06] [semi-widespread Web regression, cmnt #66-7]
Updated•13 years ago
|
Attachment #542911 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Assignee | ||
Comment 68•13 years ago
|
||
Comment 69•13 years ago
|
||
In terms of working around the issue in 5.x, what would be the best way to detect if a given event object will actually be allowed to open a new link without resorting to browser + version detection?
Previously I relied on event.isTrusted === false but it seems this new fix retains synthetic events as untrusted but simply changes their policy, so now what? :/
Comment 70•13 years ago
|
||
> what would be the best way to detect if a given event object will actually be
> allowed to open a new link
Condition it off event.isTrusted after testing via object-detection (e.g. by using an untrusted click event in a hidden iframe) whether untrusted events are allowed to trigger links?
There's really no good way to object-detect security policy without trying to do something that the policy might disallow and seeing whether it's allowed, in general.
Comment 71•13 years ago
|
||
Version detection may be the lesser evil here then - it seems to be a fairly moz-specific peculiarity at least
Comment 72•13 years ago
|
||
Mozilla/5.0 (Windows NT 5.1; rv:8.0a1) Gecko/20110810 Firefox/8.0a1
Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0
Verified issue on Win XP, Win 7, Mac OS X 10.7 and Ubuntu 11.04 using the test case attached in the description.
Setting resolution to VERIFIED FIXED.
Status: RESOLVED → VERIFIED
Updated•12 years ago
|
Flags: sec-review+
You need to log in
before you can comment on or make changes to this bug.
Description
•